This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY NAME

Web and E-Commerce

EFFECTIVE DATE

July 23, 2007

POLICY NUMBER

ISO-011

v2.0

POLICY STATEMENT

The web presence of the university is to securely provide information, allow for interactive functions and promote a positive image of the university to other universities, accrediting agencies, funding agencies, the media, prospective students, their families, and the public.

REASON FOR POLICY

To establish standards and responsibilities regarding the use and creation of web pages and e-commerce sites.

Privacy laws, regulations and standards of the university must be followed. All sensitive information must be managed appropriately so that unauthorized access to sensitive information is prevented. Sensitive information should not be placed on or collected by any website that does not utilize proper security controls (i.e., secure login and certificates).

The university reserves the right to disable and/or remove the web page links, publishing capability or internet accessibility of university managed servers that are used to: violate university contractual obligations; perpetrate, aid or abet criminal acts; violate intellectual property/copyright; make accessible materials that are obscene; or which consume (or result in the consumption of) excessive amounts of computing or network resources.

A risk assessment must be conducted on all electronic commerce systems to ensure that appropriate information security controls are identified and implemented (e.g., authentication, authorization, encryption and other controls) to mitigate risks (the system must meet PCI-DSS, PA-DSS and any other regulated compliance requirements as determined by the nature of the data).

Web and e-commerce sites must not use any other organization's trademarks or service marks anywhere unless the usage reflects the actual attributes of company products or services, and appropriate legal and compliance review has been obtained, including obtaining when necessary, advance permission from the other organization.

University School, Department, Unit or other University entity web pages

Security of entity pages on the University of Louisville website is the responsibility of the school, departmental, unit, group or other university entity which creates and maintains them. Pages must comply with security guidelines outlined in this document as well as other applicable university guidelines.

Security of individual pages on the University of Louisville website is the responsibility of the person to whom the access is assigned and must comply with the security guidelines outlined in this policy as well as other applicable university guidelines.

For information regarding content of individual web pages, please contact the Office of Communications and Marketing.

Technical standards (all websites):

All enhanced capabilities configured on web pages must be deployed with security in mind. The website creator must use appropriate settings for any enhanced capabilities deployed to prevent or minimize opportunity to misuse or exploit the enhanced capability.

Example: Use of a form to generate an email to the web page owner: Care must be taken to ensure that settings for the form mail are such that the form mail cannot be used to generate SPAM.

The standards outlined in IS PS010 Network Service must be followed. Pay special attention to the Connecting to University affiliated computing resources from outside the University network section.

All servers and devices within the university's and department's network that are accessible via public networks, including Internet commerce servers, payment servers, database servers and web servers must be placed on subnets separate from internal networks and protected, monitored and secured by properly configured firewalls, intrusion detection systems and appropriate access control methods.

Software Standards:

University School, Department, Unit or other University entity web pages

The Plone Content Management System (CMS) is the recommended website management software. The CMS's built-in capabilities are configured by the Information Technology Division to maintain a high level of security.

Software provided by the University of Louisville may not be copied to any storage media, transferred to another computer, or disclosed to outside parties without permission from the contract, IT, and/or the IT departmental representative. See IS PS003 Intellectual Property.

DEFINITIONS

Sensitive Information

Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, grant reviews, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. Sensitive information does not include personal information of a particular individual which that individual elects to reveal (such as via opt-in or opt-out mechanisms) (see Information Management and Classification Standard).

RESPONSIBILITIES

Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

HISTORY

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.

Approved July 23, 2007 by the Compliance Oversight Council

Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council